The invention relates to computer security and in particular to systems and methods for protecting computer systems against malicious software.
Malicious software, also known as malware, affects a great number of computer systems worldwide. In its many forms such as computer viruses, worms, rootkits, unsolicited adware, ransomware, and spyware, malware presents a serious risk to millions of computer users, making them vulnerable to loss of data and sensitive information, identity theft, and loss of productivity, among others. Malware may further display material that is considered by some users to be obscene, excessively violent, harassing, or otherwise objectionable.
A particular kind of malware consists of a code reuse attack. Some examples of such malware and attack include return-oriented programming (ROP) and jump-oriented programming (JOP) exploits. A typical ROP exploit, also known in the art as a return-into-library attack, includes an illegitimate manipulation of a call stack used by a thread of a process, the illegitimate manipulation intended to alter the original functionality of the respective thread/process. For instance, an exemplary ROP exploit may manipulate the call stack so as to force the host system to execute a sequence of code snippets, known as gadgets, each such gadget representing a piece of legitimate code of the target process. Careful stack manipulation may result in the respective code snippets being executed in a sequence, which differs from the original, intended sequence of instructions of the original process or thread.
A typical JOP attack comprises exploiting a buffer overflow vulnerability to create a dispatch table. Such a dispatch table may be used to re-organize the execution of a legitimate thread or process, by making execution jump from one gadget to another in a pre-determined sequence that carries out a malicious activity instead of the original, intended activity of the targeted process/thread.
By re-using pieces of code from legitimate processes to carry out malicious activities instead of explicitly writing malicious code, ROP and JOP exploits may evade detection by conventional anti-malware techniques. Several anti-malware methods have been proposed to address code-reuse attacks, but such methods typically place a heavy computational burden on the respective host system, negatively impacting user experience. Therefore, there is a strong interest in developing systems and methods capable of effectively targeting code reuse malware, with minimal computational costs.